linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] PM / devfreq: stopping the governor before device_unregister()
@ 2018-08-30 10:02 ` vincent.donnefort
  2018-08-31  8:52   ` Chanwoo Choi
  0 siblings, 1 reply; 4+ messages in thread
From: vincent.donnefort @ 2018-08-30 10:02 UTC (permalink / raw)
  To: myungjoo.ham, kyungmin.park, cw00.choi, linux-pm, linux-kernel
  Cc: john.reitan, beata.michalska, Vincent Donnefort

From: Vincent Donnefort <vincent.donnefort@arm.com>

device_release() is freeing the resources before calling the device
specific release callback which is, in the case of devfreq, stopping
the governor.

It is a problem as some governors are using the device resources. e.g.
simpleondemand which is using the devfreq deferrable monitoring work. If it
is not stopped before the resources are freed, it might lead to a use after
free.

Signed-off-by: Vincent Donnefort <vincent.donnefort@arm.com>
Reviewed-by: John Einar Reitan <john.reitan@arm.com>

diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
index 4c49bb1..4e43830 100644
--- a/drivers/devfreq/devfreq.c
+++ b/drivers/devfreq/devfreq.c
@@ -534,10 +534,6 @@ static void devfreq_dev_release(struct device *dev)
 	list_del(&devfreq->node);
 	mutex_unlock(&devfreq_list_lock);
 
-	if (devfreq->governor)
-		devfreq->governor->event_handler(devfreq,
-						 DEVFREQ_GOV_STOP, NULL);
-
 	if (devfreq->profile->exit)
 		devfreq->profile->exit(devfreq->dev.parent);
 
@@ -672,7 +668,7 @@ struct devfreq *devfreq_add_device(struct device *dev,
 	list_del(&devfreq->node);
 	mutex_unlock(&devfreq_list_lock);
 
-	device_unregister(&devfreq->dev);
+	devfreq_remove_device(devfreq);
 	devfreq = NULL;
 err_dev:
 	if (devfreq)
@@ -693,6 +689,9 @@ int devfreq_remove_device(struct devfreq *devfreq)
 	if (!devfreq)
 		return -EINVAL;
 
+	if (devfreq->governor)
+		devfreq->governor->event_handler(devfreq,
+						 DEVFREQ_GOV_STOP, NULL);
 	device_unregister(&devfreq->dev);
 
 	return 0;
-- 
1.9.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH] PM / devfreq: stopping the governor before device_unregister()
  2018-08-30 10:02 ` [PATCH] PM / devfreq: stopping the governor before device_unregister() vincent.donnefort
@ 2018-08-31  8:52   ` Chanwoo Choi
  2018-09-21 15:40     ` [PATCH v2] PM / devfreq: Stop " vincent.donnefort
       [not found]     ` <CGME20180921154052epcas1p4d4ba6b7435a50f1f77ae85ceda594b69@epcms1p1>
  0 siblings, 2 replies; 4+ messages in thread
From: Chanwoo Choi @ 2018-08-31  8:52 UTC (permalink / raw)
  To: vincent.donnefort, myungjoo.ham, kyungmin.park, linux-pm, linux-kernel
  Cc: john.reitan, beata.michalska

Hi,

On 2018년 08월 30일 19:02, vincent.donnefort@arm.com wrote:
> From: Vincent Donnefort <vincent.donnefort@arm.com>
> 
> device_release() is freeing the resources before calling the device
> specific release callback which is, in the case of devfreq, stopping
> the governor.
> 
> It is a problem as some governors are using the device resources. e.g.
> simpleondemand which is using the devfreq deferrable monitoring work. If it
> is not stopped before the resources are freed, it might lead to a use after
> free.
> 
> Signed-off-by: Vincent Donnefort <vincent.donnefort@arm.com>
> Reviewed-by: John Einar Reitan <john.reitan@arm.com>
> 
> diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
> index 4c49bb1..4e43830 100644
> --- a/drivers/devfreq/devfreq.c
> +++ b/drivers/devfreq/devfreq.c
> @@ -534,10 +534,6 @@ static void devfreq_dev_release(struct device *dev)
>  	list_del(&devfreq->node);
>  	mutex_unlock(&devfreq_list_lock);
>  
> -	if (devfreq->governor)
> -		devfreq->governor->event_handler(devfreq,
> -						 DEVFREQ_GOV_STOP, NULL);
> -
>  	if (devfreq->profile->exit)
>  		devfreq->profile->exit(devfreq->dev.parent);
>  
> @@ -672,7 +668,7 @@ struct devfreq *devfreq_add_device(struct device *dev,
>  	list_del(&devfreq->node);
>  	mutex_unlock(&devfreq_list_lock);
>  
> -	device_unregister(&devfreq->dev);
> +	devfreq_remove_device(devfreq);
>  	devfreq = NULL;
>  err_dev:
>  	if (devfreq)
> @@ -693,6 +689,9 @@ int devfreq_remove_device(struct devfreq *devfreq)
>  	if (!devfreq)
>  		return -EINVAL;
>  
> +	if (devfreq->governor)
> +		devfreq->governor->event_handler(devfreq,
> +						 DEVFREQ_GOV_STOP, NULL);
>  	device_unregister(&devfreq->dev);
>  
>  	return 0;
> 

As description of this patch, if devfreq_wq is executed and then execute
the 'devfreq->governor->get_target_freq' between step1 and step2
after already freed the 'dev' related resource, it might happen the problem
because the registered callback of get_target_freq requires the 'dev' resource.

device_unregister(dev)
	step 1. device_del(dev)
		<- if devfreq_wq is executed
	step 2. put_device(dev)
		device_release()
			devfreq_dev_release()
				stop the governor for specific devfreq instance

It looks good to me. Stop the governor before calling device_unregister().
Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>				

-- 
Best Regards,
Chanwoo Choi
Samsung Electronics

^ permalink raw reply	[flat|nested] 4+ messages in thread
* [PATCH v2] PM / devfreq: Stop the governor before device_unregister()
  2018-08-31  8:52   ` Chanwoo Choi
@ 2018-09-21 15:40     ` vincent.donnefort
       [not found]     ` <CGME20180921154052epcas1p4d4ba6b7435a50f1f77ae85ceda594b69@epcms1p1>
  1 sibling, 0 replies; 4+ messages in thread
From: vincent.donnefort @ 2018-09-21 15:40 UTC (permalink / raw)
  To: myungjoo.ham, kyungmin.park, cw00.choi, linux-pm, linux-kernel
  Cc: john.reitan, beata.michalska, Vincent Donnefort

From: Vincent Donnefort <vincent.donnefort@arm.com>

device_release() is freeing the resources before calling the device
specific release callback which is, in the case of devfreq, stopping
the governor.

It is a problem as some governors are using the device resources. e.g.
simpleondemand which is using the devfreq deferrable monitoring work. If it
is not stopped before the resources are freed, it might lead to a use after
free.

Signed-off-by: Vincent Donnefort <vincent.donnefort@arm.com>
Reviewed-by: John Einar Reitan <john.reitan@arm.com>
Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>

diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
index 4c49bb1..4e43830 100644
--- a/drivers/devfreq/devfreq.c
+++ b/drivers/devfreq/devfreq.c
@@ -534,10 +534,6 @@ static void devfreq_dev_release(struct device *dev)
 	list_del(&devfreq->node);
 	mutex_unlock(&devfreq_list_lock);
 
-	if (devfreq->governor)
-		devfreq->governor->event_handler(devfreq,
-						 DEVFREQ_GOV_STOP, NULL);
-
 	if (devfreq->profile->exit)
 		devfreq->profile->exit(devfreq->dev.parent);
 
@@ -672,7 +668,7 @@ struct devfreq *devfreq_add_device(struct device *dev,
 	list_del(&devfreq->node);
 	mutex_unlock(&devfreq_list_lock);
 
-	device_unregister(&devfreq->dev);
+	devfreq_remove_device(devfreq);
 	devfreq = NULL;
 err_dev:
 	if (devfreq)
@@ -693,6 +689,9 @@ int devfreq_remove_device(struct devfreq *devfreq)
 	if (!devfreq)
 		return -EINVAL;
 
+	if (devfreq->governor)
+		devfreq->governor->event_handler(devfreq,
+						 DEVFREQ_GOV_STOP, NULL);
 	device_unregister(&devfreq->dev);
 
 	return 0;
-- 
1.9.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* RE: [PATCH v2] PM / devfreq: Stop the governor before device_unregister()
       [not found]     ` <CGME20180921154052epcas1p4d4ba6b7435a50f1f77ae85ceda594b69@epcms1p1>
@ 2018-09-27  5:20       ` MyungJoo Ham
  0 siblings, 0 replies; 4+ messages in thread
From: MyungJoo Ham @ 2018-09-27  5:20 UTC (permalink / raw)
  To: Kyungmin Park, Chanwoo Choi, linux-pm, linux-kernel
  Cc: john.reitan, beata.michalska, Vincent Donnefort

> From: Vincent Donnefort <vincent.donnefort@arm.com>
> 
> device_release() is freeing the resources before calling the device
> specific release callback which is, in the case of devfreq, stopping
> the governor.
> 
> It is a problem as some governors are using the device resources. e.g.
> simpleondemand which is using the devfreq deferrable monitoring work. If it
> is not stopped before the resources are freed, it might lead to a use after
> free.
> 
> Signed-off-by: Vincent Donnefort <vincent.donnefort@arm.com>
> Reviewed-by: John Einar Reitan <john.reitan@arm.com>
> Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>

Acked-by: MyungJoo Ham <myungjoo.ham@samsung.com>


Cheers,
MyungJoo

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2018-09-27  5:20 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <CGME20180830100409epcas3p266dc05fdd02cd2c086a4355e9a481007@epcas3p2.samsung.com>
2018-08-30 10:02 ` [PATCH] PM / devfreq: stopping the governor before device_unregister() vincent.donnefort
2018-08-31  8:52   ` Chanwoo Choi
2018-09-21 15:40     ` [PATCH v2] PM / devfreq: Stop " vincent.donnefort
     [not found]     ` <CGME20180921154052epcas1p4d4ba6b7435a50f1f77ae85ceda594b69@epcms1p1>
2018-09-27  5:20       ` MyungJoo Ham

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).